Another day, another Android malware. According to the latest findings of ESET's IT security researchers, a new Android malware, some of whose related apps were found in the Google Play Store, hijacks the official PayPal app to steal money. Researchers assessed that the malware specifically targets Android users and attempts to move 1,000 euros (around $1,150) out of each victim's account.

The malware was first discovered in November 2018 and combines the functionality of a remotely controlled banking Trojan with a novel abuse of Android Accessibility services, which it uses to operate the official PayPal app on the victim's behalf. It poses as a battery optimization tool called Optimization Android and is distributed through third-party app stores as well as some apps on the Play Store.

“We also spotted five malicious apps with similar capabilities in the Google Play store, targeting Brazilian users,” wrote ESET researcher Lukas Stefanko in his blog post.

Once launched, the app terminates without offering any functionality and hides its icon, then quietly continues its malicious activity in the background. It has two main functions. The first is stealing money from the victim's PayPal account, which requires a malicious Accessibility service to be enabled; the app obtains this by presenting the user with a request to enable a service innocuously named "Enable statistics".

If the official PayPal app is installed on the compromised device, the malware displays a notification prompting the user to launch it. Once the user opens PayPal and logs in, the already enabled accessibility service steps in and mimics the user's taps to send money to the attacker's PayPal account. The whole sequence completes within ten seconds, which leaves the user practically no chance to notice or intervene.

ESET researcher Lukas Stefanko found that the app attempts to transfer 1,000 euros (about 1,150 USD), although the currency varies with the victim's location. The theft succeeds because the malware never tries to steal the victim's login credentials; it simply waits for the user to log in to PayPal themselves. Since the victim completes the login, including any two-factor step, PayPal's 2FA does nothing to stop the transfer that follows.

The second function is displaying HTML-based phishing overlays that impersonate five legitimate apps: Google Play, WhatsApp, Viber, Skype and Gmail. Most of the overlays ask the user to enter credit card details; the Gmail overlay asks for Gmail login credentials, and the screens can also imitate banking apps to harvest banking credentials.

At the time of publishing this article, the malicious app had been removed from the Play Store. To stay protected, uninstall Optimization Android if you have installed it (because the app hides its launcher icon, remove it from the device's Settings > Apps list) and change the passwords of your banking and PayPal accounts. Moreover, never install apps from third-party app stores; you can enforce this by opening your Android device's security settings and disabling Unknown Sources.

The global Unknown Sources toggle exists on devices running Android 7 Nougat or earlier. On Android 8 Oreo and later the setting is granted per app: open Settings, go to Apps > Special access > Install unknown apps, and set each app to Not allowed.
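The two device-side conditions this article describes, an unexpected Accessibility service enabled for the malicious app and sideloading still permitted, can both be checked from an adb-connected device. The triage script below is an added example and is not ESET's or HackRead's code. It parses the text printed by `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure install_non_market_apps` (Android 7 and earlier) and `adb shell appops get <package> REQUEST_INSTALL_PACKAGES` (Android 8 and later). The sample strings are constructed for the example, the `appops` output format is assumed, the allowlist is an assumption, and `com.optimizer.android` is a hypothetical package name standing in for the malicious app.

```python
"""Device triage: flag unexpected accessibility services and check sideloading.

Added example, not ESET's or HackRead's code. Parsers work on the text that
the adb commands named in the lead-in print; the samples below are constructed.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Assumed allowlist: packages whose accessibility service is expected on the device.
KNOWN_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated "package/service" entries. com.optimizer.android is hypothetical.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.optimizer.android/.StatsService"
)
# Constructed samples of `appops get <pkg> REQUEST_INSTALL_PACKAGES` output
# (format assumed: "<OP>: <mode>; ...", or "No operations." when unset).
SAMPLE_APPOPS_ALLOW = "REQUEST_INSTALL_PACKAGES: allow; time=+3h12m4s ago"
SAMPLE_APPOPS_NONE = "No operations."


def adb(*args: str, serial: Optional[str] = None) -> str:
    """Run an adb shell command and return its stdout (needs adb on PATH and a device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Turn "pkg/svc:pkg/svc" into (package, fully qualified service class) pairs.

    A service class starting with "." is shorthand for the package prefix;
    "null" or an empty value means no accessibility service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # ignore malformed fragments rather than crash the triage
        pkg, svc = entry.split("/", 1)
        pairs.append((pkg, pkg + svc if svc.startswith(".") else svc))
    return pairs


def suspicious_services(raw: str, allowlist=KNOWN_ACCESSIBILITY_PACKAGES) -> List[Tuple[str, str]]:
    """Enabled accessibility services whose package is not on the allowlist."""
    return [(p, s) for p, s in parse_enabled_services(raw) if p not in allowlist]


def sideloading_enabled(api_level: int, setting_value: str = "", appops_output: str = "") -> bool:
    """True if installs from unknown sources are permitted.

    Android 7.1 (API 25) and earlier: the global install_non_market_apps flag is "1".
    Android 8 (API 26) and later: the per-app REQUEST_INSTALL_PACKAGES app-op is "allow".
    """
    if api_level <= 25:
        return setting_value.strip() == "1"
    m = re.search(r"REQUEST_INSTALL_PACKAGES:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"


if __name__ == "__main__":
    # Run against the constructed samples; swap in adb(...) calls for a live device, e.g.
    # adb("settings", "get", "secure", "enabled_accessibility_services")
    for pkg, svc in suspicious_services(SAMPLE_ENABLED_SERVICES):
        print(f"unexpected accessibility service {svc} (package {pkg})")
    print("sideloading allowed for sample app:",
          sideloading_enabled(26, appops_output=SAMPLE_APPOPS_ALLOW))
```

The allowlist approach is deliberate: an enabled accessibility service is a strong signal on its own, and the right response to an unknown entry is to remove the package (Settings > Apps, since the icon is hidden) rather than merely toggling the service off.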

“The popularity and adoption of smartphones have greatly stimulated the spread of mobile malware, especially on popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples,” said Yajin Zhou and Xuxian Jiang, Department of Computer Science at NCState.

If you are about to download an Android app, read its reviews first; users who have already installed it usually report on how it behaves. Also keep your device updated and scan it regularly with an anti-malware product. Here is a list of 10 powerful antiviruses for Windows, Mac, Android, and iPhone devices. Stay safe online.

Waqas Amir is a UK-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in Milan, Italy.